-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regular schedule for Security releases? #647
Comments
Seems sensible to me. Two thoughts:
|
What would be a good schedule? How about monthly if there is anything to release? |
In terms of schedule, I think it depends on how much we have to get in. I think we want the smallest number (assuming less release is less overall work) that gets fixes out in a reasonable timeframe. I was thinking maybe every 2 months? |
Sec releases take a reasonable amount of work, and block CI for days, monthly seems too fast to me. We seem to be doing about 4 a year, maybe keeping to that pace, but with a more predictable cadence, would work. |
Fixing (or at least mitigating) both of those problems would seem to be decent strategic initiatives, if we have someone on TSC willing to do the work and championing them. (I might be able to take on the CI one at some point, but right now I'm awaiting a decision on my request to re-join TSC.) |
I’m a bit confused; when would you have a security fix, but not release it more-or-less immediately, or at the soonest opportunity? |
Lots of security issues are things that have existed since the early days of node, can't really be prevented (like a DoS), but the sensitivity to them can be adjusted. Take the last round of security fixes. IMO, they could have been done mostly (entirely?) as open PRs in node, not in private. Sure, people could be watching our PRs, and see the DoS opportunity and exploit... but none of them allowed node servers to be smashed, and the fix just adjusts a knob, making the DoS linerally less effective. Anyone who has heard of slowloris and wanted to play around with node could already have found them, and with a large enough bot farm, been exploiting them. Another category of recent vulns that required web servers to use specific coding patterns for the issue to be exploited. Its hard to argue about how common the patterns are, as they do exist, but most most node servers aren't affected. A heartbleed level attack would be fixed ASAP. But those aren't the common security issues we release in security updates, its just bugs/features, that have some credible possibility of security implications, to someone, somewhere, so we have to advertise them via CVE, just in case. |
Sure, it makes sense that not everything is a "stop the world, release now" situation - but presumably a normal release happens pretty regularly whenever there's anything landed and unreleased, so any non-urgent security fixes would just get naturally shipped with those, no? |
We don't mix security and non-security updates in a single release. Not as far as I know. I'm not sure of the history of why this is, but I assume its to make updates as safe as possible for people who don't intend to make updates to their deployed-and-working apps unless they have to. Also, security updates get released simultaneously across all release lines, so that old release lines aren't "vulnerable" while new lines are protected. This is unlike normal features and bugs, which bake a while in current before they are considered stable enough to be backported to LTS. @MylesBorins @rvagg perhaps can comment on this. |
You are correct that we specifically ensure that in security releases the only changes are for the security-related fixes. And we do it that way as you said |
I have very mixed feelings on this If we were to do it I think a cadence that would make sense would be quarterly. With that being said the timing that we have might be a bit rigid... we don't know when very serious vulnerabilities come in... and while we do end up having a backlog of "non critical" sercurity bugs I'm unsure that we want to be giving up 1 in 3 LTS releases to security releases. Alternatively, perhaps we can focus on improving our ability to test and prepare security releases with a smaller sub-set of CI... that seems to be the bigger issue than cadence to me. Please correct me if I am wrong |
We have a concept of a "missed target" in HackerOne. I have not found this defined anywhere in our policies, but maybe I missed it. Have we defined a max time between a vulnerability is sent and a fix is received? |
It's a HackerOne setting that applies. Defaults (and maximum) that apply to projects are:
|
Basically with a quarterly schedule we are almost 100% certain to go over that maximum time to resolution. |
That's true but sometimes you can't rush a fix.. though? we might be able to opt-in for an extended period but I tried that before for the ecosystem program and seems like this is a max they have site-wide but perhaps things have changed. Also, more info on the response targets at https://docs.hackerone.com/programs/response-target-metrics.html |
The problem I see with the ad-hoc release schedule is it take a fair amount of work, and we can't plan ahead very well to find available people. Also, consumers of node can't plan very far ahead to receive the update. Those aren't very large problems, though, and arguably aren't problems at all. We don't have releases triggered by a reported vuln very often, AFAICT. Even the javascript url one, though reported externally, had its release delayed so we could batch it up with the HTTP DoS work that was in progress. This makes it seem to me that the issues are not so urgent that we are working to to get them turned around quickly, and a regular cadence might work. On the other hand, I agree that if preping the releases was less work and less disruptive, doing them on-demand would be easier, too. This may be anathema to some, but one way to do this would be to do more of the vulnerability fixing in public github. I know that we have a reflex to keep anything that could have any security implication private, but for example, nodejs/node#8081 was already reported (and fixed) publically in 8.x, but we decided to issue a CVE and backport the fix to 6.x. This got it classified as a vulnerability, and the fix secluded into nodejs-private. IMO it coulc have been fixed and released faster through the regular LTS process. We have a fairly rapid and well-oiled cadence for non-security release maintenance, if we could funnel fixes that make node more secure into that process things might be smoother. PR review in particular would be improved, and lack of feedback from users was an issue in the last set of security releases. |
I think we should: a. produce some good guidelines on what we consider a security vuln and what does not. As an example, if the vulnerability is already public we could speed up a fix by developing it in the open. As an example, we do not have a documented threat model. |
I'd like to kick this again, especially after the recent sec release that was motivated by the 6.x deadline (or so it appeared to me). Regular deadlines might get low severity sec issues a bit more priority. Following on to @mcollina 's comments: a. If publically known vulns can be fixed in the open I too think they'd get fixed and released faster. |
And we know have a concrete example of a CVE being addressed as a public PR: nodejs/node#26537, so the above two comments are no longer hypothetical, but actual. /to @nodejs/tsc @nodejs/security @nodejs/security-wg |
We could also look at past security releases to understand the ratio between what we might have been able to do in public versus where that won't work. Past does not predict the future but might provide some insight into how much benefit we would get from the suggestion. |
In my very personal opinion, the June 2018 release had some genuninely remote-exploitable vulns, most of the others require carefully written user-code ot obscure scenarios (malicious servers, running debuggers on untrusted networks, timing attacks from the same machine, etc.). DoS is always possible, with sufficient attacker resource, mostly in the DoS fixes we provide user-control to limit size or time for various protocol elements, it looks like most of the DoS could have been fixed in the open.
|
I think we should have this be discussed by the security wg and the Release wg to see if we can get any consensus there. Adding agenda tags |
I don't want to displace any scheduled releases with a planned security release (unplanned high severity releases may disrupt scheduled releases, but that's just what happens). Last sec release was Feb, 2019, how about another in June? Sometime between June 4th and 21st looks free: https://github.com/nodejs/Release/wiki. How about we plan for a release then, and another 4 months later, and see if knowing before hand when we'll need help from releasers to do a release, and planning the time so it doesn't bump any other scheduled releases is helpful, and whether having a deadline helps get movement on any of the slowly being worked on open issues. @nodejs/releasers thoughts on what would be a non-disruptive time? |
https://github.com/nodejs/Release/wiki#q2-2019-dubnium-10x-release-schedule We have a June 25th date available (if we want) for doing a security release. I'll open an issue in the private repo to see if there is anything we want to release then. |
@sam-github would it make sense to close this issue now? |
I think @sam-github suggested this in an issue, but I think it would be good to have a specific issue to discuss.
I'm +1. It's understood that we will still have to have some emergency security releases based on disclosed vulnerabilities or OpenSSL updates but it seems like planning for a regular cadence would be good both for the project and the consumers or Node.js.
@nodejs/security-wg
The text was updated successfully, but these errors were encountered: